DoE asks utilities for sensitive cybersecurity data, promises to share it anonymously with other utilities

The Dept. of Energy (DoE) has issued a call for to electric-power companies that encourages them to make cybersecurity a top priority by setting up a “cybersecurity governance board” to oversee an internal cybersecurity program for protection and share information with the DoE.

In exchange for information about sensitive information, such as identifying network vulnerabilities or attacks, the government will share this “benchmarking data” that’s given to it anonymously with any other utility that participates in the information-sharing.

These ideas, among others, are contained in what the DoE is calling the “Electricity Subsector Cybersecurity Capability Maturity Model, Version 1.0.” This document, a joint effort of dozens of representatives from the government and the U.S. electric industry, is said to be a White House initiative. It calls for electric-power companies to appoint a senior executive for cybersecurity that will report to the company’s board.

“Senior management doesn’t have a very good understanding of their security posture,” says Andy Bochman, whose job as IBM’s Energy Sector Leader in the IBM Security Systems Division grants him insight into how the whole U.S. power grid works.

Unlike other types of enterprises, many utilities today --whether it’s their enterprise business side or their industrial-controls systems side--do not have a chief information security officer (CISO) or a chief security officer (CSO) at all, says Bochman. But the evolution of the electric grid, especially as the so-called “smart grid” takes shape with more interactive information collection and management with consumers, means they need a CISO or CSO more than ever. He says they need an individual acting as a vice president of security who can report directly to the company CEO or board of directors. He adds it’s better here not to report directly to the CIO but go directly to the top of the company.

This is a central concept contained in the lengthy “Electricity Subsector Cybersecurity Capability Maturity Model” document, and Bochman is among the dozens of representatives from industry, the government and the electric sector that provided input into the document. Others outside of DoE include representatives from Carnegie-Mellon University Software Engineering Institute – CERT program; Duke Energy; Oncor; Vermont Electric Cooperative; UtiliSec; American Electric Power; Dept. of Defense; Centerpoint Energy; Consolidated Edison; Baltimore Gas & Electric; Southern California Edison; and several more.

The DoE guidance, over 90 pages, says the government hopes electric-power companies will each establish a “cybersecurity governance board” that ”will develop a cybersecurity strategy for the utility and recruit a new vice president of cybersecurity to implement a program based on the strategy.” The approval of the cyber strategy is expected to come from the top management at the utility first before it’s carried out through the business groups.

The DoE document also suggests that utilities should be not think cyber-incidents won’t happen and they should be prepared to respond publicly about any “immediate and collateral damage from potential incidents and the public relations issues that follow.”

The topic of cybersecurity and critical infrastructure protection has become fiercely debated recently in Congress, where the current critical-infrastructure cybersecurity legislation has stalled due to Republicans blocking it from a vote. That situation has left the White House angered, and it’s letting it be known that President Obama is considering taking executive action related to cybersecurity controls over industry if the legislation doesn’t move forward in the future.